# Authors:
#   Petr Vobornik <pvoborni@redhat.com>
#
# Copyright (C) 2013  Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

"""
User tests
"""

from ipatests.test_webui.crypto_utils import generate_csr
from ipatests.test_webui.ui_driver import UI_driver
from ipatests.test_webui.ui_driver import screenshot
import ipatests.test_webui.data_user as user
import ipatests.test_webui.data_group as group
import ipatests.test_webui.data_netgroup as netgroup
import ipatests.test_webui.data_hbac as hbac
import ipatests.test_webui.data_pwpolicy as pwpolicy
import ipatests.test_webui.test_rbac as rbac
import ipatests.test_webui.data_sudo as sudo

import pytest

try:
    from selenium.webdriver.common.by import By
    from selenium.webdriver.common.keys import Keys
    from selenium.webdriver.common.action_chains import ActionChains
except ImportError:
    pass

EMPTY_MOD = 'no modifications to be performed'
USR_EXIST = 'user with name "{}" already exists'
USR_ADDED = 'User successfully added'
INVALID_SSH_KEY = "invalid 'sshpubkey': invalid SSH public key"
INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are "
                 "not allowed")
FIELD_REQ = 'Required field'
ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $'
ERR_MISMATCH = 'Passwords must match'
ERR_ADMIN_DISABLE = ('admin cannot be deleted or disabled because '
                     'it is the last member of group admins')
ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user')
USR_EXIST = 'user with name "{}" already exists'
ENTRY_EXIST = 'This entry already exists'
ACTIVE_ERR = 'active user with name "{}" already exists'
DISABLED = 'This entry is already disabled'
LONG_LOGIN = "invalid 'login': can be at most 32 characters"


@pytest.mark.tier1
class user_tasks(UI_driver):
    def load_file(self, path):
        with open(path, 'r') as file_d:
            content = file_d.read()
        return content

    def create_email_addr(self, pkey):
        """
        Piece an email address together from hostname due possible different
        DNS setup
        """

        domain = '.'.join(self.config.get('ipa_server').split('.')[1:])
        return '{}@{}'.format(pkey, domain)

    def add_default_email_for_validation(self, data):
        """
        E-mail is generated automatically and we do not know domain yet in
        data_user so in order to validate all mail fields we need to get it
        there.
        """
        mail = self.create_email_addr(user.DATA.get('pkey'))

        for ele in data['mod_v']:
            if 'mail' in ele:
                ele[2].append(mail)

        return data

    def assert_user_auth_type(self, auth_type, enabled=True):
        """
        Check if provided auth type is enabled or disabled for the user
        :param auth_type: one of password, radius, otp, pkinit, hardened, idp
        or passkey
        :param enabled: check if enabled if True, check for disabled if False
        """
        s_checkbox = 'div[name="ipauserauthtype"] input[value="{}"]'.format(
            auth_type)
        checkbox = self.find(s_checkbox, By.CSS_SELECTOR, strict=True)
        assert checkbox.is_selected() == enabled

    def add_user_auth_type(self, auth_type, save=False):
        """
        Select user auth type
        :param auth_type: one of password, radius, otp, pkinit, hardened, idp
        or passkey
        """
        s_checkbox = 'div[name="ipauserauthtype"] input[value="{}"]'.format(
            auth_type)
        checkbox = self.find(s_checkbox, By.CSS_SELECTOR, strict=True)
        if not checkbox.is_selected():
            checkbox.click()
        if save:
            self.facet_button_click('save')


@pytest.mark.tier1
class test_user(user_tasks):

    @screenshot
    def test_crud(self):
        """
        Basic CRUD: user
        """
        self.init_app()
        data = self.add_default_email_for_validation(user.DATA)
        self.basic_crud(user.ENTITY, data)

    @screenshot
    def test_associations(self):
        """
        User direct associations
        """

        self.init_app()

        # prepare - add user, group, netgroup, role, hbac rule, sudo rule
        # ---------------------------------------------------------------
        self.add_record(user.ENTITY, user.DATA, navigate=False)
        self.add_record(group.ENTITY, group.DATA)
        self.add_record(netgroup.ENTITY, netgroup.DATA)
        self.add_record(rbac.ROLE_ENTITY, rbac.ROLE_DATA)
        self.add_record(hbac.RULE_ENTITY, hbac.RULE_DATA)
        self.add_record(sudo.RULE_ENTITY, sudo.RULE_DATA)

        # add & remove associations
        # -------------------------
        self.navigate_to_entity(user.ENTITY)
        self.navigate_to_record(user.PKEY)

        self.add_associations([group.PKEY, 'editors'],
                              facet='memberof_group', delete=True)
        self.add_associations([netgroup.PKEY],
                              facet='memberof_netgroup', delete=True)
        self.add_associations([rbac.ROLE_PKEY],
                              facet='memberof_role', delete=True)
        self.add_associations([hbac.RULE_PKEY],
                              facet='memberof_hbacrule', delete=True)
        self.add_associations([sudo.RULE_PKEY],
                              facet='memberof_sudorule', delete=True)

        # cleanup
        # -------
        self.delete(user.ENTITY, [user.DATA])
        self.delete(group.ENTITY, [group.DATA])
        self.delete(netgroup.ENTITY, [netgroup.DATA])
        self.delete(rbac.ROLE_ENTITY, [rbac.ROLE_DATA])
        self.delete(hbac.RULE_ENTITY, [hbac.RULE_DATA])
        self.delete(sudo.RULE_ENTITY, [sudo.RULE_DATA])

    @screenshot
    def test_indirect_associations(self):
        """
        User indirect associations
        """
        self.init_app()

        # add
        # ---
        self.add_record(user.ENTITY, user.DATA, navigate=False)

        self.add_record(group.ENTITY, group.DATA)
        self.navigate_to_record(group.PKEY)
        self.add_associations([user.PKEY])

        self.add_record(group.ENTITY, group.DATA2)
        self.navigate_to_record(group.PKEY2)
        self.add_associations([group.PKEY], facet='member_group')

        self.add_record(netgroup.ENTITY, netgroup.DATA)
        self.navigate_to_record(netgroup.PKEY)
        self.add_table_associations('memberuser_group', [group.PKEY2])

        self.add_record(rbac.ROLE_ENTITY, rbac.ROLE_DATA)
        self.navigate_to_record(rbac.ROLE_PKEY)
        self.add_associations([group.PKEY2], facet='member_group')

        self.add_record(hbac.RULE_ENTITY, hbac.RULE_DATA)
        self.navigate_to_record(hbac.RULE_PKEY)
        self.add_table_associations('memberuser_group', [group.PKEY2])

        self.add_record(sudo.RULE_ENTITY, sudo.RULE_DATA)
        self.navigate_to_record(sudo.RULE_PKEY)
        self.add_table_associations('memberuser_group', [group.PKEY2])

        # check indirect associations
        # ---------------------------
        self.navigate_to_entity(user.ENTITY, 'search')
        self.navigate_to_record(user.PKEY)

        self.assert_indirect_record(group.PKEY2, user.ENTITY, 'memberof_group')
        self.assert_indirect_record(netgroup.PKEY,
                                    user.ENTITY, 'memberof_netgroup')
        self.assert_indirect_record(rbac.ROLE_PKEY,
                                    user.ENTITY, 'memberof_role')
        self.assert_indirect_record(hbac.RULE_PKEY,
                                    user.ENTITY, 'memberof_hbacrule')
        self.assert_indirect_record(sudo.RULE_PKEY,
                                    user.ENTITY, 'memberof_sudorule')

        # cleanup
        # -------
        self.delete(user.ENTITY, [user.DATA])
        self.delete(group.ENTITY, [group.DATA, group.DATA2])
        self.delete(netgroup.ENTITY, [netgroup.DATA])
        self.delete(rbac.ROLE_ENTITY, [rbac.ROLE_DATA])
        self.delete(hbac.RULE_ENTITY, [hbac.RULE_DATA])
        self.delete(sudo.RULE_ENTITY, [sudo.RULE_DATA])

    @screenshot
    def test_actions(self):
        """
        Test user actions
        """
        self.init_app()

        self.add_record(user.ENTITY, user.DATA, navigate=False)
        self.navigate_to_record(user.PKEY)

        self.disable_action()
        self.enable_action()

        # reset password
        pwd = self.config.get('ipa_password')
        self.reset_password_action(pwd)
        self.assert_text_field('has_password', '******')

        # unlock option should be disabled for new user
        self.assert_action_list_action('unlock', enabled=False)

        # delete
        self.delete_action(user.ENTITY, user.PKEY, action='delete_active_user')

    @screenshot
    def test_certificates(self):
        """
        Test user certificate actions

        Requires to have CA installed.
        """

        if not self.has_ca():
            self.skip('CA is not configured')

        self.init_app()
        cert_widget_sel = "div.certificate-widget"

        self.add_record(user.ENTITY, user.DATA)
        self.wait()
        self.close_notifications()
        self.navigate_to_record(user.PKEY)

        # cert request
        csr = generate_csr(user.PKEY, False)

        self.action_list_action('request_cert', confirm=False)
        self.wait(seconds=2)
        self.assert_dialog()
        self.fill_text("textarea[name='csr']", csr)
        self.dialog_button_click('issue')
        self.wait_for_request(n=2, d=3)
        self.assert_visible(cert_widget_sel)

        # cert view
        self.action_list_action('view', confirm=False,
                                parents_css_sel=cert_widget_sel)
        self.assert_dialog()
        self.dialog_button_click('close')

        # cert get
        self.action_list_action('get', confirm=False,
                                parents_css_sel=cert_widget_sel)
        self.assert_dialog()
        # check that the textarea is not empty
        self.assert_empty_value('textarea.certificate', negative=True)
        self.dialog_button_click('close')

        # cert download - we can only try to click the download action
        self.action_list_action('download', confirm=False,
                                parents_css_sel=cert_widget_sel)

        # check that revoke action is enabled
        self.assert_action_list_action('revoke',
                                       parents_css_sel=cert_widget_sel,
                                       facet_actions=False)

        # check that remove_hold action is not enabled
        self.assert_action_list_action('remove_hold', enabled=False,
                                       parents_css_sel=cert_widget_sel,
                                       facet_actions=False)

        # cert revoke
        self.action_list_action('revoke', confirm=False,
                                parents_css_sel=cert_widget_sel)
        self.wait()
        self.select('select', '6')
        self.dialog_button_click('ok')
        self.wait_for_request(n=2, d=3)
        self.assert_visible(cert_widget_sel + " div.watermark")

        # check that revoke action is not enabled
        self.assert_action_list_action('revoke', enabled=False,
                                       parents_css_sel=cert_widget_sel,
                                       facet_actions=False)

        # check that remove_hold action is enabled
        self.assert_action_list_action('remove_hold',
                                       parents_css_sel=cert_widget_sel,
                                       facet_actions=False)

        # cert remove hold
        self.action_list_action('remove_hold', confirm=False,
                                parents_css_sel=cert_widget_sel)
        self.wait()
        self.dialog_button_click('ok')
        self.wait_for_request(n=2)

        # check that revoke action is enabled
        self.assert_action_list_action('revoke',
                                       parents_css_sel=cert_widget_sel,
                                       facet_actions=False)

        # check that remove_hold action is not enabled
        self.assert_action_list_action('remove_hold', enabled=False,
                                       parents_css_sel=cert_widget_sel,
                                       facet_actions=False)

        # cleanup
        self.navigate_to_entity(user.ENTITY, 'search')
        self.delete_record(user.PKEY, user.DATA.get('del'))

    @screenshot
    def test_certificate_serial(self):
        """Test long certificate serial no
        Long certificate serial no were shown in scientific notation
        at user details page. This test checks that it is no longer shown
        in scientific notation
        related:https://pagure.io/freeipa/issue/8754
        """
        if not self.has_ca():
            self.skip('CA is not configured')

        self.init_app()

        self.add_record(user.ENTITY, user.DATA2)
        self.wait()
        self.close_notifications()
        self.navigate_to_record(user.PKEY2)

        self.add_cert_to_record(user.USER_CERT, user.PKEY2, save=False)
        # check if the cert serial is 264374074076456325397645183544606453821
        self.assert_text(
            'div[name="cert-serial-num"]',
            '264374074076456325397645183544606453821'
        )

        # cleanup
        self.navigate_to_entity(user.ENTITY, 'search')
        self.delete_record(user.PKEY2, user.DATA2.get('del'))

    @screenshot
    def test_password_expiration_notification(self):
        """
        Test password expiration notification
        """

        pwd = self.config.get('ipa_password')

        self.init_app()

        self.set_ipapwdexpadvnotify('15')

        # create user and group and add user to that group
        self.add_record(user.ENTITY, user.DATA)
        self.add_record(group.ENTITY, group.DATA)
        self.navigate_to_entity(group.ENTITY)
        self.navigate_to_record(group.PKEY)
        self.add_associations([user.PKEY])

        # password policy for group
        self.add_record('pwpolicy', {
            'pkey': group.PKEY,
            'add': [
                ('combobox', 'cn', group.PKEY),
                ('textbox', 'cospriority', '12345'),
            ]})
        self.navigate_to_record(group.PKEY)
        self.mod_record('pwpolicy', {
            'pkey': group.PKEY,
            'mod': [
                ('textbox', 'krbmaxpwdlife', '7'),
                ('textbox', 'krbminpwdlife', '0'),
            ]})

        # reset password
        self.navigate_to_record(user.PKEY, entity=user.ENTITY)
        self.reset_password_action(pwd)

        # re-login as new user
        self.logout()
        self.init_app(user.PKEY, pwd)

        header = self.find('.navbar-pf', By.CSS_SELECTOR)
        self.assert_text(
            '.header-passwordexpires',
            'Your password expires in 6 days.',
            header)

        # test password reset
        self.profile_menu_action('password_reset')
        self.fill_password_dialog(pwd, pwd)

        # cleanup
        self.logout()
        self.init_app()
        self.set_ipapwdexpadvnotify('4')
        self.delete(user.ENTITY, [user.DATA])
        self.delete(group.ENTITY, [group.DATA])

    def set_ipapwdexpadvnotify(self, days):
        """
        Set ipa config "Password Expiration Notification (days)" field
        """

        self.navigate_to_entity('config')
        self.mod_record('config', {
            'mod': [
                ('textbox', 'ipapwdexpadvnotify', days),
            ]
        })

    def reset_password_action(self, password):
        """
        Execute reset password action
        """

        self.action_list_action('reset_password', False)
        self.fill_password_dialog(password)

    def fill_password_dialog(self, password, current=None):
        """
        Fill password dialog
        """

        self.assert_dialog()

        fields = [
            ('password', 'password', password),
            ('password', 'password2', password),
        ]

        if current:
            fields.append(('password', 'current_password', current))

        self.fill_fields(fields)
        self.dialog_button_click('confirm')
        self.wait_for_request(n=3)
        self.assert_no_error_dialog()

    @screenshot
    def test_grace_login_limit(self):
        """
        Verify existence of grace login limit field and its
        value based on pwpolicy value

        Related: https://pagure.io/freeipa/issue/9211
        """
        self.init_app()
        self.add_record(group.ENTITY, [group.DATA])
        # add record DATA8 already with passwordgracelimit
        self.add_record(pwpolicy.ENTITY, [pwpolicy.DATA8])

        self.navigate_to_record(group.PKEY)
        # fill with values from DATA8, passwordgracelimit has value 42
        self.fill_fields(pwpolicy.DATA8['mod'])
        try:
            # click save if needed
            self.button_click('save')
        except AssertionError:
            # autosave active
            pass

        # add record itest-user
        self.add_record(user.ENTITY, user.DATA)
        # add itest-user to itest-group
        self.navigate_to_entity(group.ENTITY)
        self.navigate_to_record(group.PKEY)
        self.add_associations([user.PKEY])
        self.navigate_to_record(user.PKEY, entity=user.ENTITY)

        self.facet_button_click('refresh')
        self.wait(2)
        field = 'passwordgracelimit'
        # password grace limit is currently on the 10th place
        expected_value = pwpolicy.DATA8['mod'][9][2]
        current_value = self.get_field_value(field, element="input")
        try:
            assert current_value == expected_value
        finally:
            # cleanup
            self.delete(user.ENTITY, [user.DATA])
            self.delete(group.ENTITY, [group.DATA])
            self.delete(pwpolicy.ENTITY, [pwpolicy.DATA8])


    @screenshot
    def test_login_without_username(self):
        """
        Try to login with no username provided
        """
        self.init_app(login='', password='xxx123')

        alert_e = self.find('.alert[data-name="username"]',
                            By.CSS_SELECTOR)
        assert 'Username: Required field' in alert_e.text, 'Alert expected'
        assert self.login_screen_visible()

    @screenshot
    def test_disable_delete_admin(self):
        """
        Test disabling/deleting admin is not allowed
        """
        self.init_app()
        self.navigate_to_entity(user.ENTITY)

        # try to disable admin user
        self.select_record('admin')
        self.facet_button_click('disable')
        self.dialog_button_click('ok')
        self.assert_last_error_dialog(ERR_ADMIN_DISABLE, details=True)
        self.dialog_button_click('ok')
        self.assert_record('admin')

        # try to delete admin user. Later we are
        # confirming by keyboard to test also ticket 4097
        self.select_record('admin')
        self.facet_button_click('remove')
        self.dialog_button_click('ok')
        self.assert_last_error_dialog(ERR_ADMIN_DEL, details=True)
        actions = ActionChains(self.driver)
        actions.send_keys(Keys.TAB)
        actions.send_keys(Keys.ENTER).perform()
        self.wait(0.5)
        self.assert_record('admin')

    @screenshot
    def test_add_user_special(self):
        """
        Test various add user special cases
        """

        self.init_app()

        # Test invalid characters (#@*?) in login
        self.navigate_to_entity(user.ENTITY)
        self.facet_button_click('add')
        self.fill_textbox('uid', 'itest-user#')
        self.assert_field_validation(ERR_INCLUDE)
        self.fill_textbox('uid', 'itest-user@')
        self.assert_field_validation(ERR_INCLUDE)
        self.fill_textbox('uid', 'itest-user*')
        self.assert_field_validation(ERR_INCLUDE)
        self.fill_textbox('uid', 'itest-user?')
        self.assert_field_validation(ERR_INCLUDE)
        self.dialog_button_click('cancel')

        # Add an user with special chars
        self.basic_crud(user.ENTITY, user.DATA_SPECIAL_CHARS)

        # Add an user with long login (should FAIL)
        self.add_record(user.ENTITY, user.DATA_LONG_LOGIN, negative=True)
        self.assert_last_error_dialog(expected_err=LONG_LOGIN)
        self.close_all_dialogs()

        # Test password mismatch
        self.add_record(user.ENTITY, user.DATA_PASSWD_MISMATCH, negative=True)
        pass_e = self.find('.widget[name="userpassword2"]', By.CSS_SELECTOR)
        self.assert_field_validation(ERR_MISMATCH, parent=pass_e)
        self.dialog_button_click('cancel')
        self.assert_record(user.DATA_PASSWD_MISMATCH.get('pkey'),
                           negative=True)

        # test add and edit record
        self.add_record(user.ENTITY, user.DATA2, dialog_btn='add_and_edit')
        self.action_list_action('delete_active_user')

        # click add and cancel
        self.add_record(user.ENTITY, user.DATA, dialog_btn='cancel')

        # add leading space before password (should SUCCEED)
        self.navigate_to_entity(user.ENTITY)
        self.facet_button_click('add')
        self.fill_fields(user.DATA_PASSWD_LEAD_SPACE['add'])
        self.dialog_button_click('add')

        # add trailing space before password (should SUCCEED)
        self.navigate_to_entity(user.ENTITY)
        self.facet_button_click('add')
        self.fill_fields(user.DATA_PASSWD_TRAIL_SPACE['add'])
        self.dialog_button_click('add')

        # add user using enter
        self.add_record(user.ENTITY, user.DATA2, negative=True)
        actions = ActionChains(self.driver)
        actions.send_keys(Keys.ENTER).perform()
        self.wait()
        self.assert_notification(assert_text=USR_ADDED)
        self.assert_record(user.PKEY2)
        self.close_notifications()

        # delete user using enter
        self.select_record(user.PKEY2)
        self.facet_button_click('remove')
        actions.send_keys(Keys.ENTER).perform()
        self.wait(0.5)
        self.assert_notification(assert_text='1 item(s) deleted')
        self.assert_record(user.PKEY2, negative=True)

    @screenshot
    def test_add_delete_undo_reset_multivalue(self):
        """
        Test add and delete multivalue with reset and undo
        """
        self.init_app()

        first_mail = self.create_email_addr(user.DATA.get('pkey'))

        self.add_record(user.ENTITY, user.DATA)
        self.wait()
        self.close_notifications()
        self.navigate_to_record(user.DATA.get('pkey'))

        # add a new mail (without save) and reset
        self.add_multivalued('mail', 'temp@ipa.test')
        self.assert_undo_button('mail')
        self.facet_button_click('revert')
        self.assert_undo_button('mail', visible=False)

        # click at delete on the first mail and reset
        self.del_multivalued('mail', first_mail)
        self.assert_undo_button('mail')
        self.facet_button_click('revert')
        self.assert_undo_button('mail', visible=False)

        # edit the first mail and reset
        self.edit_multivalued('mail', first_mail, 'temp@ipa.test')
        self.assert_undo_button('mail')
        self.facet_button_click('revert')
        self.assert_undo_button('mail', visible=False)

        # add a new mail and undo
        self.add_multivalued('mail', 'temp@ipa.test')
        self.assert_undo_button('mail')
        self.undo_multivalued('mail', 'temp@ipa.test')
        self.assert_undo_button('mail', visible=False)

        # edit the first mail and undo
        self.edit_multivalued('mail', first_mail, 'temp@ipa.test')
        self.assert_undo_button('mail')
        self.undo_multivalued('mail', 'temp@ipa.test')
        self.assert_undo_button('mail', visible=False)

        # cleanup
        self.delete(user.ENTITY, [user.DATA])

    @screenshot
    def test_user_misc(self):
        """
        Test various miscellaneous test cases under one roof to save init time
        """
        self.init_app()

        # add already existing user (should fail) / also test ticket 4098
        self.add_record(user.ENTITY, user.DATA)
        self.add_record(user.ENTITY, user.DATA, negative=True,
                        pre_delete=False)
        self.assert_last_error_dialog(USR_EXIST.format(user.PKEY))
        actions = ActionChains(self.driver)
        actions.send_keys(Keys.TAB)
        actions.send_keys(Keys.ENTER).perform()
        self.wait(0.5)
        self.dialog_button_click('cancel')

        # add user without login name
        self.add_record(user.ENTITY, user.DATA_NO_LOGIN)
        self.assert_record('nsurname10')

        # try to add same user without login name again (should fail)
        self.add_record(user.ENTITY, user.DATA_NO_LOGIN, negative=True,
                        pre_delete=False)
        self.assert_last_error_dialog(USR_EXIST.format('nsurname10'))
        self.close_all_dialogs()

        # try to modify user`s UID to -1 (should fail)
        self.navigate_to_record(user.PKEY)
        self.mod_record(
            user.ENTITY, {'mod': [('textbox', 'uidnumber', '-1')]},
            negative=True)
        uid_e = self.find('.widget[name="uidnumber"]', By.CSS_SELECTOR)
        self.assert_field_validation('Minimum value is 1', parent=uid_e)
        self.facet_button_click('revert')

        # edit user`s "First name" to value with leading space (should fail)
        self.fill_input('givenname', ' leading_space')
        self.facet_button_click('save')
        self.assert_last_error_dialog(INV_FIRSTNAME)
        self.dialog_button_click('cancel')

        # edit user`s "First name" to value with trailing space (should fail)
        self.fill_input('givenname', 'trailing_space ')
        self.facet_button_click('save')
        self.assert_last_error_dialog(INV_FIRSTNAME)
        self.dialog_button_click('cancel')

        # try with blank "First name" (should fail)
        gn_input_s = "input[type='text'][name='givenname']"
        gn_input_el = self.find(gn_input_s, By.CSS_SELECTOR, strict=True)
        gn_input_el.clear()
        gn_input_el.send_keys(Keys.BACKSPACE)
        self.facet_button_click('save')
        gn_e = self.find('.widget[name="givenname"]', By.CSS_SELECTOR)
        self.assert_field_validation(FIELD_REQ, parent=gn_e)
        self.close_notifications()

        # search user / multiple users
        self.navigate_to_entity(user.ENTITY)
        self.wait(0.5)
        self.find_record('user', user.DATA)
        self.add_record(user.ENTITY, user.DATA2)
        self.find_record('user', user.DATA2)
        # search for both users (just 'itest-user' will do)
        self.find_record('user', user.DATA)
        self.assert_record(user.PKEY2)

        # cleanup
        self.delete_record([user.PKEY, user.PKEY2, user.PKEY_NO_LOGIN,
                            'nsurname10'])

    @screenshot
    def test_menu_click_minimized_window(self):
        """
        Test if menu is clickable when there is notification
        in minimized browser window.

        related: https://pagure.io/freeipa/issue/8120
        """
        self.init_app()

        self.driver.set_window_size(570, 600)
        self.add_record(user.ENTITY, user.DATA2, negative=True)
        self.assert_notification(assert_text=USR_ADDED)
        menu_button = self.find('.navbar-toggle', By.CSS_SELECTOR)
        menu_button.click()
        self.assert_record(user.PKEY2)
        self.close_notifications()
        self.driver.maximize_window()

        # cleanup
        self.delete(user.ENTITY, [user.DATA2])

    @screenshot
    def test_enabled_by_default(self):
        """
        Test if valid user created in both ca and
        caless env is enabled by default.

        https://pagure.io/freeipa/issue/8203
        """
        self.init_app()

        # check if the user is enabled
        self.add_record(user.ENTITY, user.DATA, navigate=False)
        self.assert_record_value(expected="Enabled",
                                 pkeys=user.PKEY,
                                 column="nsaccountlock")

        self.navigate_to_record(user.PKEY)
        self.assert_action_list_action("disable", visible=True, enabled=True)
        self.assert_action_list_action("reset_password",
                                       visible=True, enabled=True)

        # add OTP authentication type and verify the change is persistent
        self.add_user_auth_type("otp", save=True)
        self.assert_user_auth_type("otp", enabled=True)


@pytest.mark.tier1
class test_user_no_private_group(UI_driver):

    @screenshot
    def test_noprivate_nonposix(self):
        """
        User without private group and without specified GID
        """
        self.init_app()

        with pytest.raises(AssertionError) as e:
            self.add_record(user.ENTITY, user.DATA3)
        assert (str(e.value) == 'Unexpected error: Default group for new '
                'users is not POSIX')

    @screenshot
    def test_noprivate_posix(self):
        """
        User without private group and specified existing posix GID
        """
        self.init_app()
        self.add_record(group.ENTITY, group.DATA6)

        self.add_record(user.ENTITY, user.DATA4)
        self.delete(user.ENTITY, [user.DATA4])

        self.delete(group.ENTITY, [group.DATA6])

    @screenshot
    def test_noprivate_gidnumber(self):
        """
        User without private group and specified unused GID
        """
        self.init_app()

        self.add_record(user.ENTITY, user.DATA4, combobox_input='gidnumber')
        self.delete(user.ENTITY, [user.DATA4])


@pytest.mark.tier1
class TestLifeCycles(UI_driver):

    @screenshot
    def test_life_cycles(self):
        """
        Test user life-cycles
        """

        self.init_app()

        # create "itest-user" and send him to preserved
        self.add_record(user.ENTITY, user.DATA)
        self.delete_record(user.PKEY, confirm_btn=None)
        self.check_option('preserve', value='true')
        self.dialog_button_click('ok')
        self.assert_notification(assert_text='1 item(s) deleted')

        # try to add the same user again (should fail)
        self.add_record(user.ENTITY, user.DATA, negative=True)
        self.assert_last_error_dialog(USR_EXIST.format(user.PKEY))
        self.close_all_dialogs()
        self.wait()

        # restore "itest-user" user
        self.switch_to_facet('search_preserved')
        self.select_record(user.PKEY)
        self.button_click('undel')
        self.dialog_button_click('ok')
        self.assert_no_error_dialog()
        self.assert_notification(assert_text='1 user(s) restored')
        self.wait()

        # add already existing user "itest-user" to stage and try to activate
        # the latter (should fail)
        self.add_record('stageuser', user.DATA)
        self.select_record(user.PKEY)
        self.button_click('activate')
        self.dialog_button_click('ok')

        err_msg = ACTIVE_ERR.format(user.PKEY)
        self.assert_last_error_dialog(err_msg, details=True)
        self.dialog_button_click('ok')

        # delete "itest-user" staged user
        self.delete_record(user.PKEY)
        self.assert_record(user.PKEY, negative=True)

        # add "itest-user2" and send him to staged (through preserved)
        self.close_all_dialogs()
        self.add_record(user.ENTITY, user.DATA2)
        self.delete_record(user.PKEY2, confirm_btn=None)
        self.check_option('preserve', value='true')
        self.dialog_button_click('ok')
        self.switch_to_facet('search_preserved')
        self.select_record(user.PKEY2)
        self.button_click('batch_stage')
        self.dialog_button_click('ok')
        self.assert_no_error_dialog()
        self.wait(2)
        # fix assert after https://pagure.io/freeipa/issue/7477 is closed
        self.assert_notification(assert_text='1 users(s) staged')

        # add new "itest-user2" - one is already staged (should pass)
        self.add_record(user.ENTITY, user.DATA2)
        self.assert_record(user.PKEY2)

        # send active "itest-user2" to preserved
        self.delete_record(user.PKEY2, confirm_btn=None)
        self.check_option('preserve', value='true')
        self.dialog_button_click('ok')

        # try to activate staged "itest-user2" while one is already preserved
        # (should fail)
        self.navigate_to_entity('stageuser')
        self.select_record(user.PKEY2)
        self.button_click('activate')
        self.dialog_button_click('ok')
        self.assert_last_error_dialog(ENTRY_EXIST, details=True)
        self.dialog_button_click('ok')

        # delete preserved "itest-user2" and activate the staged one
        # (should pass)
        self.switch_to_facet('search_preserved')
        self.delete_record(user.PKEY2)
        self.navigate_to_entity('stageuser')
        self.select_record(user.PKEY2)
        self.button_click('activate')
        self.wait()
        self.dialog_button_click('ok')
        self.assert_notification(assert_text='1 user(s) activated')

        # send multiple records to preserved
        self.navigate_to_entity('stageuser')
        self.navigate_to_entity(user.ENTITY)
        self.delete_record([user.PKEY, user.PKEY2],
                           confirm_btn=None)
        self.check_option('preserve', value='true')
        self.dialog_button_click('ok')
        self.assert_notification(assert_text='2 item(s) deleted')

        # restore multiple records
        self.switch_to_facet('search_preserved')
        self.select_multiple_records([user.DATA, user.DATA2])
        self.button_click('undel')
        self.dialog_button_click('ok')
        self.assert_no_error_dialog()
        self.assert_notification(assert_text='2 user(s) restored')
        self.wait()

        # send multiple users to staged (through preserved)
        self.navigate_to_entity(user.ENTITY)
        self.delete_record([user.PKEY, user.PKEY2],
                           confirm_btn=None)
        self.check_option('preserve', value='true')
        self.dialog_button_click('ok')
        self.switch_to_facet('search_preserved')
        self.select_multiple_records([user.DATA, user.DATA2])
        self.button_click('batch_stage')
        self.dialog_button_click('ok')
        self.assert_no_error_dialog()
        self.wait(2)
        self.assert_notification(assert_text='2 users(s) staged')

        # activate multiple users from stage
        self.navigate_to_entity('stageuser')
        self.select_multiple_records([user.DATA, user.DATA2])
        self.button_click('activate')
        self.dialog_button_click('ok')
        self.assert_notification(assert_text='2 user(s) activated')

        # try to disable record from user page
        self.navigate_to_entity(user.ENTITY)
        self.select_record(user.PKEY)
        self.facet_button_click('disable')
        self.dialog_button_click('ok')
        self.assert_record_value('Disabled', user.PKEY,
                                 'nsaccountlock')

        # try to disable same record again (should fail)
        self.select_record(user.PKEY)
        self.facet_button_click('disable')
        self.dialog_button_click('ok')
        self.assert_last_error_dialog(DISABLED, details=True)
        self.dialog_button_click('ok')

        # enable the user again
        self.select_record(user.PKEY)
        self.facet_button_click('enable')
        self.dialog_button_click('ok')
        self.assert_record_value('Enabled', user.PKEY,
                                 'nsaccountlock')

        # same for multiple users (disable, disable again, enable)
        self.select_multiple_records([user.DATA, user.DATA2])
        self.facet_button_click('disable')
        self.dialog_button_click('ok')
        self.assert_record_value('Disabled', [user.PKEY, user.PKEY2],
                                 'nsaccountlock')

        self.select_multiple_records([user.DATA, user.DATA2])
        self.facet_button_click('disable')
        self.dialog_button_click('ok')
        self.assert_last_error_dialog(DISABLED, details=True)
        self.dialog_button_click('ok')

        self.select_multiple_records([user.DATA, user.DATA2])
        self.facet_button_click('enable')
        self.dialog_button_click('ok')
        self.assert_record_value('Enabled', [user.PKEY, user.PKEY2],
                                 'nsaccountlock')

        # cleanup and check for ticket 4245 (select all should not remain
        # checked after delete action). Two "ok" buttons at the end are needed
        # for delete confirmation and acknowledging that "admin" cannot be
        # deleted.
        self.navigate_to_entity(user.ENTITY)
        select_all_btn = self.find('input[title="Select All"]',
                                   By.CSS_SELECTOR)
        select_all_btn.click()
        self.facet_button_click('remove')
        self.dialog_button_click('ok')
        self.dialog_button_click('ok')
        self.assert_value_checked('admin', 'uid', negative=True)


@pytest.mark.tier1
class TestSSHkeys(UI_driver):

    @screenshot
    def test_ssh_keys(self):

        self.init_app()

        # add and undo SSH key
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False,
                                  navigate=True)
        self.assert_num_ssh_keys(1)
        self.undo_ssh_keys()
        self.assert_num_ssh_keys(0)

        # add and undo 2 SSH keys (using undo all)
        ssh_keys = [user.SSH_RSA, user.SSH_DSA]

        self.add_sshkey_to_record(ssh_keys, 'admin', save=False)
        self.assert_num_ssh_keys(2)
        self.undo_ssh_keys(btn_name='undo_all')
        self.assert_num_ssh_keys(0)

        # add SSH key and refresh
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False)
        self.assert_num_ssh_keys(1)
        self.facet_button_click('refresh')
        self.assert_num_ssh_keys(0)

        # add SSH key and revert
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False)
        self.assert_num_ssh_keys(1)
        self.facet_button_click('revert')
        self.assert_num_ssh_keys(0)

        # add SSH key, move elsewhere and cancel.
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False)
        self.assert_num_ssh_keys(1)
        self.switch_to_facet('memberof_group')
        self.dialog_button_click('cancel')
        self.assert_num_ssh_keys(1)
        self.undo_ssh_keys()

        # add SSH key, move elsewhere and click reset button.
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False)
        self.assert_num_ssh_keys(1)
        self.switch_to_facet('memberof_group')
        self.wait_for_request()
        self.dialog_button_click('revert')
        self.wait()
        self.switch_to_facet('details')
        self.assert_num_ssh_keys(0)

        # add SSH key, move elsewhere and click save button.
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False)
        self.assert_num_ssh_keys(1)
        self.switch_to_facet('memberof_group')
        self.wait()
        self.dialog_button_click('save')
        self.wait_for_request(n=4)
        self.switch_to_facet('details')
        self.assert_num_ssh_keys(1)
        self.delete_record_sshkeys('admin')

        # add, save and delete RSA and DSA keys
        keys = [user.SSH_RSA, user.SSH_DSA]

        self.add_sshkey_to_record(keys, 'admin')
        self.assert_num_ssh_keys(2)
        self.delete_record_sshkeys('admin')
        self.assert_num_ssh_keys(0)

        # add RSA SSH keys with trailing space and "=" sign at the end
        keys = [user.SSH_RSA+" ", user.SSH_RSA2+"="]

        self.add_sshkey_to_record(keys, 'admin')
        self.assert_num_ssh_keys(2)
        self.delete_record_sshkeys('admin')
        self.assert_num_ssh_keys(0)

        # lets try to add empty SSH key (should fail)
        self.add_sshkey_to_record('', 'admin')
        self.assert_last_error_dialog(EMPTY_MOD)
        self.dialog_button_click('cancel')
        self.undo_ssh_keys()

        # try to add invalid SSH key
        self.add_sshkey_to_record('invalid_key', 'admin')
        self.assert_last_error_dialog(INVALID_SSH_KEY)
        self.dialog_button_click('cancel')
        self.undo_ssh_keys()

        # add duplicate SSH keys
        self.add_sshkey_to_record(user.SSH_RSA, 'admin')
        self.add_sshkey_to_record(user.SSH_RSA, 'admin', save=False)
        self.facet_button_click('save')
        self.assert_last_error_dialog(EMPTY_MOD)
        self.dialog_button_click('cancel')

        # test SSH key edit when user lacks write rights for related attribute
        # see ticket 3800 (we use DATA_SPECIAL_CHARS just for convenience)
        self.add_record(user.ENTITY, [user.DATA2, user.DATA_SPECIAL_CHARS])
        self.add_sshkey_to_record(user.SSH_RSA, user.PKEY2, navigate=True)

        self.logout()
        self.init_app(user.PKEY_SPECIAL_CHARS, user.PASSWD_SCECIAL_CHARS)

        self.navigate_to_record(user.PKEY2, entity=user.ENTITY)

        show_ssh_key_btn = self.find('div.widget .btn[name="ipasshpubkey-0"]',
                                     By.CSS_SELECTOR)
        show_ssh_key_btn.click()
        ssh_key_e = self.find('textarea', By.CSS_SELECTOR, self.get_dialog())

        assert ssh_key_e.get_attribute('readonly') == 'true'
        self.dialog_button_click('cancel')
        self.logout()
        self.init_app()

        # cleanup
        self.delete(user.ENTITY, [user.DATA2, user.DATA_SPECIAL_CHARS])
        self.delete_record_sshkeys('admin', navigate=True)
